On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> What you are writing below, with far too many words is that you think > that URLs are the only identities that matter in this world, and > therefore DV certificates are enough security for everyone. Yes. This is the foundation and limit of Web Security. https://en.wikipedia.org/wiki/Same-origin_policy This is what is programatically enforced. Anything else either requires new technology to technically enforce it (such as a new scheme), or is offloading the liability to the user. Respectfully, I would encourage you to re-read both Ian's and James' research. For example, you will find that the organization being discussed is "Stripe, Inc", not "Spring, Inc" - a mistake made frequent enough to not be charitably attributabed as a typo. The question about the level of stringency on the validation requirements has also been responded to, as well as the deficiencies of "Well, they'd have to lie to do so" as a response. The remainder of your argument basically boils down to "But Banks already are offloading the liability to users when they say check for the green bar" (and that is bad, user hostile, and unsustainable), and the "Look for the corporate identity" has been shown repeatedly to be insufficient and incomplete that if that is the response you'd offer, then it's not introducing new information into the conversation. I agree that we should be concerned about potential fraud, and there are far more user-friendly technologies that can help mitigate that - as I mentioned. That doesn't mean that getting rid of EV UI is throwing the proverbial baby out - it means having the maturity to accept that some technological experiments don't pan out, and as good engineers and socially-responsible developers, we should recognize when certain features are causing systemic harm to users overall security. I realize the innate appeal to "Let users decide" by giving them an option, but a trivial survey of human-computer interaction literature should reveal the flaw in that. If that is too much to ask, reading about "Analysis Paralysis", "Decision Fatigue", and "Information Overload" on Wikipedia should all provide sufficient background context. So we have to circle back to the core question: - Is the display of the UI, as implemented today, meaningful and useful for the problems it tries to solve and the cognitive overhead it introduces to billions of users. If not, are there plans to remove it? "Showing more information" is not a viable answer - it results in a worse outcome for users. "Improve the validation" presumes that the information is viable and useful, which goes against the SOP. (Read [1] if you're not sure why that's bad) [1] http://www.adambarth.com/papers/2008/jackson-barth-b.pdf _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy